Banana Pi R4 (BPI-R4) - DHCP for Multiple Subnets

[Jarret B]

We are going to set up the Banana Pi R4 as a DHCP server that assigns IP addresses on multiple subnets.

The Banana Pi R3 has four 1-gigabit Ethernet ports, which we will use to create four subnets. These four subnets will allow traffic to be routed between them. There are three Local Area Network (LAN) ports and one Wide Area Network (WAN) port. Which we will connect the WAN port to the local network that is connected to the Internet. The three remaining ports will allow for three networks that are given automatic IP addresses through Dynamic Host Configuration Protocol (DHCP). The BPI-R4 will allow packets to be routed between the subnets and even to the Internet on the WAN port.

DHCP Server

To start, I am using the same board as I discussed in the article 'Banana Pi R4 (BPI-R4)'. The configuration is the same since I am using the setup with the NVMe as the root partition.

Keep in mind that we will label the four ports as 'lan0', 'lan1', 'lan2 and 'lan3'. The 'lan0' port is on the left, as you look at the openings of the ports, and 'lan3' is on the right. For connecting to your local network, you plug an Ethernet cable into 'lan0'.

So, before we manage the ports, let's install DHCP before we map the ports because we will need to assign an IP address as we bind the ports to specific subnets for use by the DHCP server.

To install DHCP, use the command:

apt install isc-dhcp-server -y

This will install the DHCP service we need to assign IP addresses to systems that will be on the three subnets. I assume that the subnet you will connect the WAN port already has a DHCP server and the gateway to the Internet. On my network, this subnet is 192.168.1.0/24, and the gateway is 192.168.1.1.

Routing Setup

So, let's go over what we will accomplish. The four ports will each have a static IP address. We will set everything up so that the interfaces can all connect to one another. The last step is to set up the connection to the WAN with 'iptables' to allow for routing to the Internet through the gateway at 192.168.1.1. We will also set up the static IP addresses for the ports.

Let's first look at the file '/etc/dhcp/dhcpd.conf' file. Here, we will set a few things:

• Lease time
• Max Lease time
• Authority
• DDNS update style
• Default Domain Name
• DNS Servers
• Subnets
• Gateway
• DHCP IP ranges

Edit the file and you'll need to put in the following information, changing the options you need that will be specific to your network:

# /etc/dhcp/dhcpd.conf
default-lease-time 600;
max-lease-time 7200;
authoritative;
ddns-update-style none;
option domain-name "linux.org";
option domain-name-servers 8.8.8.8, 1.1.1.1;

subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;
}

subnet 10.1.0.0 netmask 255.255.0.0 {
    range 10.1.0.10 10.1.255.254;
    option routers 10.1.0.1;
}
subnet 10.2.0.0 netmask 255.255.0.0 {
    range 10.2.0.10 10.2.255.254;
    option routers 10.2.0.1;
}
subnet 10.3.0.0 netmask 255.255.0.0 {
    range 10.3.0.10 10.3.255.254;
    option routers 10.3.0.1;
}

The first section should be self-explanatory. This gives the information to all systems and devices that get an IP address from this DHCP server. The only item I want to mention here is 'authoritative'. On any subnets for which we set a range of IP addresses, this DHCP server will have the authority to assign IP addresses. You should not use this server to assign IP addresses on a subnet that already has a DHCP server. In my case, the subnet 192.168.1.0/24 already has a DHCP server, so I will not set a range of IP addresses for this subnet.

Now, there are four more sections, each starting with a subnet and netmask.

The first is the subnet '192.168.1.0'. This is our WAN that already has a DHCP server. After the subnet, you specify the netmask for the subnet. You then use an opening curly bracket ({) to define options for the subnet. On the next line, indented over, are any options that we need to set for the subnet. Since this is a subnet that already contains a DHCP server, we do not need a range of IP addresses it can lease out. All we need is to specify the gateway. We can do this with the parameter 'option routers' followed by the Gateway's address and a semicolon. Each line must end with a semicolon, except those that have curly brackets. The local network already has the Gateway IP Address set on my local network as '192.168.1.1'. We close the subnet declaration with a closing bracket (}) on the following line.

The next subnet is '10.1.0.0' with a subnet of '255.255.0.0'. We set up a range of IP addresses to be assigned to any devices on the subnet by using the parameter 'range'. The range we assign is '10.1.0.10' to '10.1.0.255.254'. We then set the subnet gateway to '10.1.0.1' for 'lan1', which is the second Ethernet port. We can set the gateway address on the next line, 'option routers'.

The next subnet is '10.2.0.0' with a netmask of '255.255.0.0'. The IP address range is '10.2.0.10' to '10.2.255.254' and a gateway of '10.2.0.1'. We set this to 'lan2'.

The last subnet is '10.3.0.0' with a netmask of '255.255.0.0'. The range of IP addresses is '10.3.0.10' to '10.3.255.254', and a gateway of '10.3.0.1'. We assign this to 'lan3'.

Now, you may look at the interface names 'lan0', 'lan1', 'lan2' and 'lan3'. If you run the command 'ip a', you will see the various port names of the interfaces. The four we are looking at are those I mentioned.

Next, we need to assign an IP address to each port. This is done with the file '/etc/netplan/01-network-manager-all.yaml'. If you open the file, it will have all the interfaces listed. We will need to add some settings for each interface. The result is:

network:
version: 2
renderer: networkd
ethernets:
    wlan0:
        dhcp4: no
        dhcp6: no
    wlan1:
        dhcp4: no
        dhcp6: no
    eth0:
      dhcp4: no
      dhcp6: no
   eth1:
      dhcp4: no
      dhcp6: no
   eth2:
      dhcp4: no
      dhcp6: no
   lan0:
      dhcp4: no
      dhcp6: no
      addresses: [192.168.1.70/24]
      nameservers:
      addresses: [8.8.8.8, 1.1.1.1]
      routes:
      - to: default
      via: 192.168.1.1
   lan1:
      dhcp4: no
      dhcp6: no
      addresses: [10.1.0.1/16]
      nameservers:
         addresses: [8.8.8.8, 1.1.1.1]
   lan2:
      dhcp4: no
      dhcp6: no
      addresses: [10.2.0.1/16]
      nameservers:
         addresses: [8.8.8.8, 1.1.1.1]
   lan3:
      dhcp4: no
      dhcp6: no
      addresses: [10.3.0.1/16]
      nameservers:
         addresses: [8.8.8.8, 1.1.1.1]

Set the 'renderer' to 'networkd' and not 'NetworkManager'. There are three lines we will add to each interface, but six for 'lan0'.

Start at 'lan0:' and add 'addresses:'. Here, we can set the static IP address for the interface to '192.168.1.70/24'. The '/24' is the netmask. On my local network, the range given by the DHCP server starts at '192.168.1.100', so '192.168.1.70' is available and unused on my network. On the next line is just 'nameservers' since we will assign DNS servers to the interface. The following line lists the DNS servers of '8.8.8.8, 1.1.1.1'. On the next line, we specify that we are going to set up a static route for the gateway. The following line lists the option 'to' and the value is 'default'. This shows it is the default gateway address. The next line is the gateway through the 'via' option of '192.168.1.1'.

Now, we go to the next interface of 'lan1'. We assign it a static IP Address, with a netmask. Here, we also specify the ‘nameservers’ to use. We can set out the following two subnets the same.

The next file to edit is '/etc/default/isc-dhcp-server'. In this file is a single line that we need to change. The line starts with 'INTERFACESv4='. Here, we need to specify the interfaces from which DHCP will give out IP addresses. The line is"lan1 lan2 lan3". We do not add 'lan0' since it already has a DHCP server.

NOTE: If you need a DHCP server for the 'lan0' interface, then you can add the interface here, and you will also need to set a range of addresses in '/etc/dhcp/dhcpd.conf'.

The last file you need to edit is '/etc/sysctl.conf'. You need to uncomment the line 'net.ipv4.ip_forward=1'. Remove the hash tag (#) in front of the line and set the value to '1'. Save the file and exit your editor. To make the changes take effect, you need to run the following command:

sysctl -p /etc/sysctl.conf

So, now we enable ‘Port Forwarding’, but we need to get all the changes we made to take effect immediately. Perform the following two commands to accomplish this:

netplan apply
systemctl restart isc-dhcp-server

You can verify the service restarted properly by running the following command and verify that it states the service is 'active':

systemctl status isc-dhcp-server

NOTE: If any errors occur when enabling the changes, you will need to check the files to verify that you got each line properly set.

We assigned an IP address to each interface. Assigning the new subnets to the interface that has an IP address within the created subnet.

If you have an Ethernet cable in the interface, then the port will be active and the IP address will be listed in the output from the command 'ip a'.

You should now be able to ping all the IP addresses on the interface we set. The problem is that we cannot access any device on the WAN yet, which means the Gateway and the Internet.

To fix this, we need to enable routing.

Routing Setup

Here, we will have a few commands to run and set up the routing. For the settings to load at boot, we save the settings.

Before adding any routing information, we need to verify that the proper file is being used to save the settings. Use the following command:

update-alternatives --config iptables

Make sure it shows the value 'iptables=legacy', which if it is not, you need to change it in the menu.

We have already set up ‘Port Forwarding’, so we need to control the traffic between the interfaces for returning traffic. Use the command:

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

Connections from the subnets to the Internet need to be enabled for each interface to go through 'lan0':

iptables -A FORWARD -i lan1 -o lan0 -j ACCEPT
iptables -A FORWARD -i lan2 -o lan0 -j ACCEPT
iptables -A FORWARD -i lan3 -o lan0 -j ACCEPT

Since we allowed outgoing traffic, we need to enable incoming traffic through 'lan0':

iptables -A FORWARD -i lan0 -o lan1 -j ACCEPT
iptables -A FORWARD -i lan0 -o lan2 -j ACCEPT
iptables -A FORWARD -i lan0 -o lan3 -j ACCEPT

We now need to allow for Network Address Translation (NAT):

iptables -t nat -a POSTROUTING -o lan0 -j MASQUERADE

You'll need to save these settings so they remain persistent. Install the packages, which will prompt you to save the existing settings. You may get an error on 'ipv6' settings since we did not set any options for it:

apt install iptables-persistent -y

During the installation, the system prompts you to save the current iptables settings. If you make changes later or miss the opportunity to save the settings, then just issue the command to save the settings:

netfilter-persistent save

The system saves the settings in '/etc/iptables/rules.v4' if you want to verify that they have been saved.

You should be able to access the Internet from any of the subnets.

Conclusion

This may look like it was simple, but this took more time to make it work.

Of course, this is not simply usable on the BPI-R4 but for any system that is multi-homed. A multi-homed system is one with multiple network interfaces. Once you have this system set up, you can use it as a proxy server, or some other services may work well since this system will be the center of the network. Basically, this is a router that manages multiple subnets.